<div dir="ltr"><div><div><div>Well, if the fixed version is released, then by definition the vulnerability is disclosed to those who have the motivation to exploit it.<br><br></div>Here is an example from 2014, Drupalgeddon:<br><br><a href="https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-10-15/sa-core-2014-005-drupal-core-sql">https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-10-15/sa-core-2014-005-drupal-core-sql</a><br><br></div><div>And here is the follow-up PSA, two weeks later:<br><br><a href="https://www.drupal.org/forum/newsletters/security-public-service-announcements/2014-10-29/drupal-core-highly-critical">https://www.drupal.org/forum/newsletters/security-public-service-announcements/2014-10-29/drupal-core-highly-critical</a><br><br></div>The fix was a single line:<br><br><a href="https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch">https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch</a><br><br></div>Anyone can diff the previous version to the new version and infer what the problem is, and write an exploit for it. And that is exactly what happened.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 29, 2018 at 11:12 AM, Chris Irwin <span dir="ltr"><<a href="mailto:chris@chrisirwin.ca" target="_blank">chris@chrisirwin.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><span class=""><div class="gmail_quote">On Wed, Mar 28, 2018 at 10:51 PM, Bob Jonkman <span dir="ltr"><<a href="mailto:bjonkman@sobac.com" target="_blank">bjonkman@sobac.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="m_-4176646765512144156gmail-">Khalid wrote:<br>
> The FAQ is intentionally vague to make it hard(er) for exploiters.<br>
<br>
</span>Not meaning to pile on Khalid, but that hardly seems like "full<br>
disclosure" to me.<br></blockquote><br></div></span><div class="gmail_quote">I have no experience with Drupal, or their history of disclosure, but I think this kind of partial disclosure is common for serious vulnerabilities.<br><br></div><div class="gmail_quote">But I like the model that Gitlab uses. They release security updates immediately, referencing the appropriate CVEs, but wait 30 days for full disclosure. Not that exploits will take 30 days to reverse-engineer, but it at least should give a chance to have patched systems out there.<br><br></div><div class="gmail_quote">In the case of a super-serious flaw, they've gone as far as announcing ahead of time that the release is coming out at XX time on YY day, and to be prepared to upgrade. For example:<br><br><a href="https://about.gitlab.com/2018/01/12/gitlab-critical-release-preannouncement/" target="_blank">https://about.gitlab.com/2018/01/12/gitlab-critical-release-preannouncement/</a><span class="HOEnZb"><font color="#888888"><br></font></span></div><span class="HOEnZb"><font color="#888888"><br>-- <br><div class="m_-4176646765512144156gmail_signature"><div dir="ltr">Chris Irwin<br><<a href="mailto:chris@chrisirwin.ca" target="_blank">chris@chrisirwin.ca</a>></div></div>
</font></span></div></div>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Khalid M. Baheyeldin<br><a href="http://2bits.com" target="_blank">2bits.com</a>, Inc.<br>Fast Reliable Drupal<br>Drupal optimization, development, customization and consulting.<br>Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra<br>Simplicity is the ultimate sophistication. -- anonymous<br><br></div></div></div>
</div>